Welcome to the Family - Symantec Control Compliance Suite Vulnerability Manager


Symantec recently launched a new member of the Control Compliance Suite family: Symantec Control Compliance Suite Vulnerability Manager (CCS VM). This new product helps you answer questions such as which databases, servers and network devices are vulnerable to hacker attacks, which Web applications are exposed to SQL injection and cross-site scripting threats, which unmanaged devices pose a security risk to your critical systems, and which vulnerabilities should receive the highest priority for remediation efforts.

How does this product work? First of all, it scans host operating systems, databases and Web applications (including AJAX and Web 2.0 applications) for vulnerabilities, using a unique vulnerability chaining mechanism to identify cumulative risks and attack vectors. As of today, CCS VM provides more than 54,000 regularly updated vulnerability checks across 14,000+ vulnerabilities. It includes vulnerability content for the most popular database management systems, including MS SQL, IBM DB2, MySQL, Sybase, Informix, Oracle, PostgreSQL and others. The agent-less, native 64-bit scan engine provides high-performance scanning for faster results. In addition, a risk scoring algorithm provides insight into whether or not a vulnerability is exploitable.
For Microsoft in particular, CCS VM receives updated vulnerability checks within 24 hours of Microsoft Patch Tuesday. It includes checks for Red Hat Enterprise Linux patches and provides coverage for other applications, for example Adobe Flash & Reader, Cisco IOS, Mozilla Firefox, Solaris and Sun JVM.

Last but not least, it is highly scalable via a distributed scan engine architecture, and it contains an open, standards-based integration API.

In summary, CCS VM is a comprehensive expert technology: it scans the entire Web application, database and operating system stack for vulnerabilities, includes a mechanism for vulnerability “chaining” that enables detection of hidden vulnerabilities, and confirms whether exploits actually exist or not.

So why does vulnerability management matter? The answer is simple: investing in automated vulnerability management pays. Recently published research by the IT Policy Compliance Group clearly shows that automating the procedures to find and fix vulnerabilities and unknown exploits in IT systems:
- Reduces unexpected business downtime from IT disruptions
- Reduces the likelihood of data loss or theft
- Contributes to reductions in security and audit deficiencies in IT
- Is justified, with returns easily exceeding 150 percent annually

You can get more information from the attached 2-page summary of the report, or get a full copy of this and related reports from the IT Policy Compliance Group website: www.itpolicycompliance.com.

If so, is there a discovery license to monitor all the unused IP addresses in the network?

i.e. in a subnet with 254 possible hosts, only 4 hosts are connected. Hence, a 4-license pack will suffice to scan those 4 hosts... what about the other 250 "dead" IPs? These need to be checked to ensure that no rogue hosts are connected to the network, but buying 254 IP licenses would be prohibitive.

I know Rapid7 do a discovery license pack, which doesn't check for vulnerabilities, but allows you to scan the entire estate to see if there is a host connected at each potential IP. Does Symantec do this as well?

Hello. CCS VM licensing consists of a CCS VM base license plus additional IP packs or combinations of them (1.000, 5.000, 10.000, 65.000). The base license includes unlimited consoles, scan engines and templates for PCI. It also activates scanning and provides access to the console for user management and reporting. The base also includes functionality for scanning Web servers and is bundled with the ability to discover devices/assets in your environment.

Therefore, with the base license you will be able to discover devices in your environment without any limitation to a certain amount of IPs, but the vulnerability scans are bound to the amount of licensed IP packs.

I am not aware of a product benchmark comparison so far, but you will see some capabilities comparison as part of the Gartner Market Scope for Vulnerability Assessment and the Forrester Wave for Vulnerability Management. Please note that Symantec Vulnerability Manager is using the Rapid 7 Nexpose Engine, therefore you can apply the results for Rapid 7 to Symantec Vulnerability Manager, as the underlying engine is fully equal: